EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following is the MOST important audit scope document when conducting a review of a cloud service provider?

Question2: Which best describes the difference between a type 1 and a type 2 SOC report?

Question3: Which of the following is MOST important to consider when developing an effective threat model during the introduction of a new SaaS service into a customer organization's architecture? The threat model:

Question4: What is true of searching data across cloud environments?

Question5: As a developer building codes into a container in a DevSecOps environment, which of the following is the appropriate place(s) to perform security tests?

Question6: An independent contractor is assessing security maturity of a SaaS company against industry standards. The SaaS company has developed and hosted all their products using the cloud services provided by a third-party cloud service provider (CSP). What is the optimal and most efficient mechanism to assess the controls CSP is responsible for?

Question7: Select the best definition of"compliance" from the options below.

Question8: Customer management interface, if compromised over public internet, can lead to:

Question9: Which of the following parties should have accountability for cloud compliance requirements?

Question10: What is known as a code execution environment running within an operating system that shares and uses the resources of the operating system?

Question11: What is true of security as it relates to cloud network infrastructure?

Question12: In an organization, how are policy violations MOST likely to occur?

Question13: An IS auditor is a member of an application development team that is selecting software. Which of the following would impair the auditor's independence?

Question14: Account design in the cloud should be driven by:

Question15: To ensure that cloud audit resources deliver the best value to the organization, the PRIMARY step would be to:

Question16: Which of the following contract terms is necessary to meet a company's requirement that needs to move data from one CSP to another?

Question17: A certification target helps in the formation of a continuous certification framework by incorporating:

Question18: To qualify for CSA STAR attestation for a particular cloud system, the SOC 2 report must cover:

Question19: Which of the following is the BEST control framework for a European manufacturing corporation that is migrating to the cloud?

Question20: Which attack surfaces, if any, does virtualization technology introduce?

Question21: Which statement best describes the impact of Cloud Computing on business continuity management?

Question22: When deploying Security as a Service in a highly regulated industry or environment, what should bothparties agree on in advance and include in the SLA?

Question23: To ensure that cloud audit resources deliver the best value to the organization, the PRIMARY step would be to:

Question24: How does virtualized storage help avoid data loss if a drive fails?

Question25: While performing the audit, the auditor found that an object storage bucket containing PII could be accessed by anyone on the Internet. Given this discovery, what should be the most appropriate action for the auditor to perform?

Question26: What type of termination occurs at the initiative of one party, and without the fault of the other party?

Question27: With regard to the Cloud Control Matrix (CCM), the 'Architectural Relevance' is a feature that enables the filtering of security controls by:

Question28: The Cloud Computing Compliance Controls Catalogue (C5) framework is maintained by which of the following agencies?

Question29: When developing a cloud compliance program, what is the PRIMARY reason for a cloud customer to review which cloud services will be deployed?

Question30: Due to cloud audit team resource constraints, an audit plan as initially approved cannot be completed.
Assuming that the situation is communicated in the cloud audit report which course of action is MOST relevant?

Question31: Which communication methods within a cloud environment must be exposed for partners or consumers to access database information using a web application?

Question32: What should be an organization's control audit schedule of a cloud service provider's business continuity plan and operational resilience policy?

Question33: Which of the following would be the MOST critical finding of an application security and DevOps audit?

Question34: Which statement about compliance responsibilities and ownership of accountability is correct?

Question35: In all three cloud deployment models, (IaaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?

Question36: An organization has an ISMS implemented, following ISO 27001 and Annex A controls. The CIO would like to migrate some of the infrastructure to the cloud. Which of the following standards would BEST assist in identifying controls to consider for this migration?

Question37: What is the advantage of using dynamic application security testing (DAST) over static application security testing (SAST) methodology?

Question38: An audit has identified that business units have purchased cloud-based applications without ITs support. What is the GREATEST risk associated with this situation?

Question39: Your SLA with your cloudprovider ensures continuity for all services.

Question40: Use elastic servers when possible and move workloads to new instances.

Question41: Which of the following is a perceived advantage or disadvantage of managing enterprise risk for cloud deployments?

Question42: An organization is in the initial phases of cloud adoption. It is not very knowledgeable about cloud security and cloud shared responsibility models. Which of the following approaches is BEST suited for such an organization to evaluate its cloud security?

Question43: When deploying an application that was created using the programming language and tools supported by the cloud provider, the MOST appropriate cloud computing model for an organization to adopt is:

Question44: Which cloud-based service model enables companies to provide client-based access for partners to databases or applications?

Question45: You have been assigned the implementation of an ISMS, whose scope must cover both on premise and cloud infrastructure. Which of the following is your BEST option?

Question46: In which control should a cloud service provider, upon request, inform customers of compliance impact and risk, especially if customer data is used as part of the services?

Question47: What is the newer application development methodology and philosophy focused on automation of application development and deployment?

Question48: Changes to which of the following will MOST likely influence the expansion or reduction of controls required to remediate the risk arising from changes to an organization's SaaS vendor?

Question49: The rapid and dynamic rate of changes found in a cloud environment affects the organization's:

Question50: Which objective is MOST appropriate to measure the effectiveness of password policy?

Question51: The criteria for limiting services allowing non-critical services or services requiring high availability and resilience to be moved to the cloud is an important consideration to be included PRIMARILY in the:

Question52: APIs and web services require extensive hardening and must assume attacks from authenticated and unauthenticated adversaries.

Question53: A large organization with subsidiaries in multiple locations has a business requirement to organize IT systems to have identified resources reside in particular locations with organizational personnel. Which access control method will allow IT personnel to be segregated across the various locations?

Question54: Which of the following is the common cause of misconfiguration in a cloud environment?

Question55: Which data security control is the LEAST likely to be assigned to an IaaSprovider?

Question56: Which of the following is the BEST recommendation to offer an organization's HR department planning to adopt a new public SaaS application to ease the recruiting process?

Question57: Which of the following is the BEST tool to perform cloud security control audits?

Question58: Which of the following aspects of risk management involves identifying the potential reputational harm and/or financial harm when an incident occurs?

Question59: The BEST way to deliver continuous compliance in a cloud environment is to:

Question60: Who is responsible for the security of the physical infrastructure and virtualization platform?

Question61: In which type of environment is it impractical to allow the customer to conduct their own audit, making it important that the data center operators are required to provide auditing for the customers?

Question62: When reviewing a third-party agreement with a cloud service provider, which of the following should be the GREATEST concern regarding customer data privacy?

Question63: Which of the following attestation allows for immediate adoption of the Cloud Control Matrix (CCM) as additional criteria to AICPA Trust Service Criteria and provides the flexibility to update the criteria as technology and market requirements change?

Question64: To ensure that integration of security testing is implemented on large code sets in environments where time to completion is critical, what form of validation should an auditor expect?

Question65: The BEST method to report continuous assessment of a cloud provider's services to the CSA is through:

Question66: Which of the following is an example of a corrective control?

Question67: An organization deploying the Cloud Control Matrix (CCM) to perform a compliance assessment will encompass the use of the "Corporate Governance Relevance" feature to filter out those controls:

Question68: Which of the following statements are NOT requirements of governance and enterprise risk management in a cloud environment?

Question69: Which concept provides the abstraction needed for resource pools?

Question70: Why is a service type of network typically isolated on different hardware?

Question71: How does running applications on distinct virtual networks and only connecting networksas needed help?

Question72: Which of the following cloud deployment models would BEST meet the needs of a startup software development organization with limited initial capital?

Question73: Which of the following configuration change controls is acceptable to a cloud auditor?